Looking for PoCs of rootlayer.net in Amsterdam. - AS51447 and in upstream providers
irish.masms at gmail.com
Mon Feb 6 05:17:25 UTC 2023
Hello NANOG – longtime lurker, first time poster.
I am requesting some assistance today with stopping a pervasive malware
campaign being sent via email from multiple open proxies in the
following IP blocks:
22.214.171.124 - 126.96.36.199
188.8.131.52 - 184.108.40.206
This IP space is assigned to rootlayer.net in Amsterdam. - AS51447
% Abuse contact for 'AS51447' is 'complain at rootlayer.net'
All email has contained some sort of malicious code: ransomware,
trojans, info stealers, and other various malware (some known and some
brand new/not detected yet). The email content is spoofing various
legitimate companies and banks.
Since the beginning of the year when I became involved in a particular
customer (elderly owner of a small business), we have been sending at
least 5 complaints a day (one for each email) to complain at rootlayer.net;
all reporting has been ignored. The most recent spoof & malware email
was received at 16:33 PM PST 5 Feb 2023.
Frankly, we have grown tired of filing abuse complaints into the black
hole while an elderly gentleman is being targeted. I am not sure a
contact at Rootlayer will be helpful at this point, but if someone has a
contact it would be appreciated.
More importantly, anyone have a contact at their upstream providers that
may be able to beat down these criminal activities and Rootlayer?
AS49981 - WorldStream B.V.
AS49453 - Global Layer B.V.
Any assistance would be greatly appreciated – thank you.